Encyclopedia of Information Science and Technology, Fourth Edition (10 Volumes) Now Available

Abstract

Data breaches over the last few years have made it evident that attackers are increasingly targeting the path of least resistance to compromise the security of organizations. Cyber security threats that exploit human behavior are becoming more sophisticated and more difficult to defend against. At the same time, humans are the one countermeasure that can adapt more swiftly to a changing risk landscape than technological and procedural countermeasures can. Organizations are implementing and enhancing their security awareness and training programs in an attempt to ensure that risks from the human element, which pose the greatest risks, are mitigated. This chapter conducts a thorough literature review in the area of security awareness and training and presents a classification scheme and a conceptual research model that provide insights into the existing body of knowledge in the area. Trends and analyses drawn from the reviewed papers are also presented, which can help organizations improve their security awareness programs. The insights from the study can be leveraged to build a strong human wall against both internal and external threats that are evolving quickly and causing tremendous losses.

2. Background

Numerous surveys and studies have consistently shown that most data breaches happen because of insiders’ oversights or mistakes. It is usually non-malicious and uninformed employees who cause the breaches. However many layers of technological defense are in place, and however strong they are, the people working with and supporting those technologies remain vulnerable. Users with little security awareness are the biggest risk to the organization. Breach after breach has shown that a single minor slip-up is enough to expose a company’s entire security program. Technology alone cannot provide protection against information security and privacy risks; people are the most important line of defense and are responsible for ensuring that risks are managed in accordance with the company’s specific risk appetite and tolerance (Tipton and Krause, 2007; IT Governance Institute, 2008). Focusing only on technical countermeasures is not enough to mitigate information security risks (Mitnick and Simon, 2003). Employees need to be trained and educated on security best practices, policies, compliance requirements, implemented controls, and expectations for risk mitigation as part of a security awareness program (Ashenden, 2008; Williams, 2008).